> Exactly. Changing the OS is a long way off if people want to use these
> technologies today.
I agree completely, nothing is going to change overnight. What I
would like to do is encourage all of us to look towards the future.
Eventually, we can have our cake and eat it too (have something with a
great UX *and* be secure).
That said, what I would like to push for is updating the OAuth spec
(and Twitter's implementation) to support non-browser-based
authentication gateways, as I described in link [1].
As pointed out, this solution has one flaw, and that is it still
requires the provider to trust the "owner" of the authentication
gateway... which, until OS vendors provide a "blessed" gateway, would
be the apps themselves. OAuth purists wouldn't like this because it
requires trusting apps, but that point is moot given the "embedded web
view" workarounds so many apps are using (as pointed out in prior
posts, and in the linked discussion thread).
As I wrote on my blog, we can build a system today that leverages [an
updated version of] OAuth, has great UX and can be upgraded to
something perfectly secure once OS vendors get on board. Until then,
we'd have a system that is *just* as secure as Basic Authentication,
as it would require users to trust the clients (consumers) that they
use... (and if you use any email client today, well, you'd be a
hypocrite to complain).
Twitter folks helped *invent* OAuth, and it's a really clever/creative
solution. It would be awesome if they were the first to go live with
an even better implementation of it.
Loren